Revoke or Edit Access From Access Reviews

This section has information on the following:

  • Request the removal of an identity's access to a specified role or entitlement

  • Remove a permission or member from an account group

  • Remove access to a managed entitlement from an identity

  • Remove a profile or included role from a role

  • Edit the values of specific entitlement attributes or permissions on identity-type access reviews

Note: Entitlements must be configured on the application to enable editing from the access review pages.

For revocation on individual roles, if a role contains required or permitted roles that are not used in any other roles for this identity, a dialog displays enabling you to make a revocation decision on each of those included roles. By default, all included roles that are not used in other roles for this identity are marked for removal. If you perform a bulk revocation, this per-role decision is overridden.

On periodic access reviews, by default, no action is taken on a revocation request until the access review containing this item is signed off or, if the challenge period is active, until the challenge period expires. This ensures that no entitlement is removed until final confirmation is received from the requestor. This default behavior can be overridden when the access review schedule is created.

Revocation is done automatically if your provisioning provider is configured for automatic revocation through help ticket generation, or if your implementation is configured to work with a help desk solution. Without these automatic configurations, revocations are done manually using a work request assigned to an IdentityIQ user or workgroup. If an access review requires that multiple revocation requests be sent to the same IdentityIQ user or workgroup, they are rolled up into one work item.

For identity-type access reviews, the revocation process can also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed or modified. The revocation phase is the period during which all revocation work must be completed. The revocation phase is entered when an access review is signed off or when the active and challenge phases have ended.

Type the following information in the revocation dialog and click Revoke.

Note: This dialog is not displayed if a default revoker was specified as part of the IdentityIQ configuration.

Recipient

Type the full name of the revoker to whom you are assigning this work item. The recipient can be an identity or a workgroup. Typing the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups whose names contain that letter string.
If automatic remediation is enabled, or a default revoker was specified for the application with which the entitlements are associated, the recipient specified here is overridden.

Comment

(Optional) Any additional information needed for this revocation.

Edit Revocation Details

Only available if the entitlement is configured for modification. One line displays for each entitlement contained in this revocation request.

  • Operation – select the operation to perform, Remove or Modify.

  • Attribute – the name of the attribute with which the entitlement or permission is associated.

  • Value – if you are modifying the entitlement, select or type the new value.

  • Application – the application with which the entitlement is associated.

  • Account ID – the login ID of this identity on the specified application.